IC84752: SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • A stack buffer overflow vulnerability in Java Stored Procedure
    infrastructure could be exploited to attain remote code
    execution.
    
    To exploit the vulnerability the malicious user would need:
    1) Valid credential to connect to database
    2) CONNECT privilege on database
    3) A Java stored procedure to which the user has EXECUTE
    privilege.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 systems on all Linux, Unix and Windows platforms at  *
    * service levels from Version 9.5 GA through to Version 9.5    *
    * Fix Pack 9.                                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Security Bulletin: Buffer Overflow Vulnerability in IBM  *
    * DB2 Java Stored Procedure Infrastructure                     *
    *                                                              *
    * (CVE-2012-2197).                                             *
    * http://www.ibm.com/support/docview.wss?uid=swg21607628       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Refer to the following security bulletin to evaluate the     *
    * potential impact in your environment.                        *
    * Security Bulletin: Buffer Overflow Vulnerability in IBM DB2  *
    * SQL/PSM Stored Procedure Infrastructure (CVE-2012-4826).     *
    * http://www.ibm.com/support/docview.wss?uid=swg21614536       *
    ****************************************************************
    

Problem conclusion

  • An incomplete fix for this problem was introduced in DB2 Version
    9.5 Fix Pack 10.
    The fix for APAR IC86765 will complete the fix.
    See Security Bulletin: Buffer Overflow Vulnerability in IBM DB2
    SQL/PSM Stored Procedure Infrastructure (CVE-2012-4826).
    http://www.ibm.com/support/docview.wss?uid=swg21614536
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC84752

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-06-19

  • Closed date

    2012-08-21

  • Last modified date

    2012-12-19

  • APAR is sysrouted FROM one or more of the following:

    IC84555

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R910 PSN

       UP

  • R950 PSN

       UP

  • R970 PSN

       UP

  • R980 PSN

       UP

  • RA10 PSN

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.5

Reference #:

IC84752

Modified date:

2012-12-19

Translate my page

Machine Translation

Content navigation